CVE-2022-3213

Vulnerability

A heap buffer overflow vulnerability exists in ImageMagick's ReadTIFFImage function when processing malformed TIFF files. The bug was introduced because the memory allocation for strip_pixels used a formula that did not account for the image bit depth: extent=4*(samples_per_pixel+1)*TIFFStripSize(tiff) [3][4]. This can lead to an undersized buffer when, for example, the image depth exceeds 8 bits per sample. The issue affects ImageMagick versions prior to the commit fix in both the ImageMagick6 [3] and ImageMagick7 [4] repositories. No specific version number was disclosed in the available references, but the fix was committed on an unspecified date before the CVE publication on 2022-09-19 [1][2].

Exploitation

An attacker needs only to craft a malicious TIFF file with specially chosen parameters that trigger the heap buffer overflow when the file is processed by an application using ImageMagick. No special network position or authentication is required; the vulnerability can be triggered by any user or process that causes ImageMagick to parse the malformed TIFF file (e.g., via image upload, thumbnail generation, or command-line invocation). The exact exploitation steps involve providing a malformed TIFF that leads to a heap buffer overflow in the stripped TIFF conversion path [3][4].

Impact

A successful exploit results in a heap buffer overflow, which can cause undefined behavior, including application crashes, leading to a denial of service. The available references do not provide evidence of achieving code execution or information disclosure; the impact is limited to instability and denial of service as stated in the description [1][2].

Mitigation

The issue is fixed by the commits 1aea203eb36409ce6903b9e41fe7cb70030e8750 (ImageMagick6) [3] and 30ccf9a0da1f47161b5935a95be854fe84e6c2a2 (ImageMagick7) [4], which adjust the extent calculation to include the image depth factor: extent=4*((image->depth+7)/8)*(samples_per_pixel+1)*TIFFStripSize(tiff). Users should update to a version of ImageMagick that includes this fix or apply the patch. No workaround was disclosed in the available references. Red Hat assigned a medium severity and closed the associated Bugzilla as NOTABUG [2], indicating that they did not consider this a security vulnerability in their product, but the upstream project addressed it as a bug fix.